
input/grub2.spec


# Build conditional "bootstrap", off by default; when it is enabled the man
# pages are left out of the main package file list.
%bcond_with     bootstrap
# No debuginfo subpackage is generated for this package.
%global debug_package           %{nil}
# Distribution-specific SBAT generation number, substituted into the SBAT
# template (Source2) during the install stage.
# NOTE(review): under the SBAT scheme this is presumably the value to raise
# when earlier NiceOS GRUB images have to be revoked - confirm against the
# template.
%global grub_niceos_generation  1

Name:           grub2
Version:        2.14
Release:        1%{?dist}
Summary:        GRUB2 bootloader for operating systems
Summary(ru):    Загрузчик GRUB2 для операционных систем
License:        GPL-3.0-or-later
URL:            https://www.gnu.org/software/grub
# NOTE(review): the tarball is fetched over HTTPS, but this spec lists no
# detached signature or checksum for it and the prep stage only unpacks it.
# Confirm that the build system pins the archive digest somewhere else.
Source0:        https://ftp.gnu.org/gnu/grub/grub-%{version}.tar.xz
# SBAT metadata template; its placeholders are filled in by sed at install time.
Source2:        grub-sbat.csv.in
# Public X.509 certificate handed to sbsign. The matching private key is not a
# source file: its path is taken from the build environment.
Source3:        niceos-secureboot-signing.x509
# NOTE(review): no Patch tags are declared, so the tree is built as released.
# The CVE fixes named in the changelog are therefore presumably part of the
# upstream tarball rather than local backports - confirm.

Packager:       NICE SOFT GROUP LLC (ООО "НАЙС СОФТ ГРУПП") 5024245440 <niceos@ncsgp.ru>
Vendor:         NiceSOFT
Distribution:   NiceOS.Core
BugURL:         https://bugs.niceos.ru/
VCS:            https://specs.niceos.ru/rmps/%{name}
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: autoconf-archive
BuildRequires: binutils
BuildRequires: bison
BuildRequires: bzip2-devel
BuildRequires: dejavu-sans-fonts
BuildRequires: device-mapper-devel
BuildRequires: flex
BuildRequires: fuse-devel
BuildRequires: gcc
BuildRequires: gettext-devel
BuildRequires: git
BuildRequires: help2man
BuildRequires: libtasn1-devel
BuildRequires: ncurses-devel
BuildRequires: openssl
BuildRequires: pkgconf
BuildRequires: python3
BuildRequires: rpm-devel
BuildRequires: rpm-libs
BuildRequires: sbsigntools
BuildRequires: squashfs-tools
BuildRequires: texinfo
BuildRequires: xz-devel
BuildRequires: zlib-devel
BuildRequires: libpng-devel
BuildRequires: systemd-devel
BuildRequires: brotli-devel
BuildRequires: freetype2-devel


%description
GRUB2 (the GRand Unified Bootloader) is a flexible boot loader that can load
Linux and other operating systems. It supports many file systems and provides
a configurable and reliable boot process.

%description -l ru
GRUB2 (GRand Unified Bootloader) — гибкий загрузчик, позволяющий выбирать и
загружать Linux и другие операционные системы. Поддерживает множество
файловых систем и предоставляет настраиваемый и надежный процесс загрузки.

%ifarch x86_64
%package        pc
Summary:        GRUB2 platform support for PC/BIOS systems
Summary(ru):    Поддержка платформы GRUB2 для систем PC/BIOS
Requires:       %{name} = %{version}-%{release}

%description -n %{name}-pc
This subpackage contains GRUB2 modules and files for the PC/BIOS platform
(i386-pc).

%description -l ru -n %{name}-pc
Подпакет содержит модули и файлы GRUB2 для платформы PC/BIOS (i386-pc).
%endif

%package        efi
Summary:        GRUB2 platform support for EFI systems
Summary(ru):    Поддержка платформы GRUB2 для EFI-систем
Requires:       %{name} = %{version}-%{release}

%description -n %{name}-efi
This subpackage contains GRUB2 modules and files for EFI systems.

%description -l ru -n %{name}-efi
Подпакет содержит модули и файлы GRUB2 для EFI-систем.

%package        emu
Summary:        GRUB2 bootloader emulator
Summary(ru):    Эмулятор загрузчика GRUB2
Requires:       %{name} = %{version}-%{release}

%description -n %{name}-emu
This subpackage provides a userspace GRUB2 emulator useful for testing and
debugging without rebooting.

%description -l ru -n %{name}-emu
Подпакет содержит пользовательский эмулятор GRUB2, полезный для тестирования
и отладки без перезагрузки системы.

%package        efi-image
Summary:        EFI boot image for GRUB2
Summary(ru):    EFI-образ загрузчика GRUB2

%description -n %{name}-efi-image
This subpackage contains EFI boot images required to install and use GRUB2 on
EFI-capable systems.

%description -l ru -n %{name}-efi-image
Подпакет содержит EFI-загрузочные образы, необходимые для установки и
использования GRUB2 на системах с поддержкой EFI.

%prep
%autosetup -n grub-%{version}

%build
# Drop the compiler and linker flags injected by the RPM build environment,
# presumably so that GRUB's configure chooses the options for its boot-time
# code itself.
# NOTE(review): the same reset applies to the host-side utilities built below,
# so any hardening options the distribution passes through these variables are
# not used for them - confirm this is intended.
unset {C,CPP,CXX,LD}FLAGS

# Regenerate the build system files so that the generated files match the
# source tree as it stands after the prep stage.
sh ./autogen.sh

# Write grub-core/extra_deps.lst into the current build directory.
#
# GRUB 2.14 reads this file while generating syminfo.lst. The spec builds out
# of tree, so each separate build directory needs its own copy; the one in the
# source tree is not enough.
#
# Must be called from inside a build directory after configure has run.
# Exits the build script with status 1 if grub-core is missing or if the file
# could not be written.
create_extra_deps_lst() {
    # configure is expected to have created grub-core already.
    [ -d grub-core ] || {
        echo "ERROR: grub-core directory was not created by configure" >&2
        exit 1
    }

    printf 'depends bli part_gpt\n' > grub-core/extra_deps.lst

    # The file must exist and be non-empty, otherwise the write failed.
    [ -s grub-core/extra_deps.lst ] || {
        echo "ERROR: failed to create grub-core/extra_deps.lst" >&2
        exit 1
    }
}

%ifarch x86_64
# Legacy BIOS build (platform pc, target i386); only done on x86_64.
# The build runs out of tree in build-for-pc and is staged into install-for-pc
# instead of the build root, so the install stage can merge the trees later.
# Both directories are removed first so that no stale output is reused.
# --disable-werror keeps compiler warnings from failing the build; the
# program-name transform renames the installed grub-* tools after the package.
rm -rf build-for-pc install-for-pc
mkdir -p build-for-pc
pushd build-for-pc

sh ../configure \
    --prefix=%{_prefix} \
    --sbindir=%{_sbindir} \
    --sysconfdir=%{_sysconfdir} \
    --disable-werror \
    --disable-efiemu \
    --disable-nls \
    --with-grubdir=grub2 \
    --with-platform=pc \
    --target=i386 \
    --program-transform-name=s,grub,%{name}, \
    --with-bootdir="/boot"

# configure has created grub-core; add the dependency list make needs.
create_extra_deps_lst

%make_build
%make_install DESTDIR=${PWD}/../install-for-pc

popd
%endif

# Userspace emulator build (platform emu) for the native architecture.
# Built out of tree in build-for-emu and staged into install-for-emu; both
# directories are removed first so that no stale output is reused.
rm -rf build-for-emu install-for-emu
mkdir -p build-for-emu
pushd build-for-emu

sh ../configure \
    --prefix=%{_prefix} \
    --sbindir=%{_sbindir} \
    --sysconfdir=%{_sysconfdir} \
    --disable-werror \
    --disable-nls \
    --with-grubdir=grub2 \
    --with-platform=emu \
    --target=%{_arch} \
    --program-transform-name=s,grub,%{name}, \
    --with-bootdir="/boot"

# configure has created grub-core; add the dependency list make needs.
create_extra_deps_lst

%make_build
%make_install DESTDIR=${PWD}/../install-for-emu

popd

# EFI build for the native architecture. Its staged tree supplies both the
# modules and the grub2-mkimage binary used to assemble the signed EFI image
# during the install stage.
# Unlike the pc and emu builds, NLS is not disabled here.
# NOTE(review): this is presumably where the grub.mo catalogs listed in the
# main package come from - confirm.
rm -rf build-for-efi install-for-efi
mkdir -p build-for-efi
pushd build-for-efi

sh ../configure \
    --prefix=%{_prefix} \
    --sbindir=%{_sbindir} \
    --sysconfdir=%{_sysconfdir} \
    --disable-werror \
    --disable-efiemu \
    --with-grubdir=grub2 \
    --with-platform=efi \
    --target=%{_arch} \
    --program-transform-name=s,grub,%{name}, \
    --with-bootdir="/boot"

# configure has created grub-core; add the dependency list make needs.
create_extra_deps_lst

%make_build
%make_install DESTDIR=${PWD}/../install-for-efi

popd

%install

# Same flag reset as in the build stage.
unset {C,CPP,CXX,LD}FLAGS

# Pre-create the configuration directories and the GRUB directory under /boot.
mkdir -p %{buildroot}%{_sysconfdir}/default \
         %{buildroot}%{_sysconfdir}/sysconfig \
         %{buildroot}/boot/%{name}

# Merge the staged install trees into the build root. A later copy overwrites
# files that an earlier one placed at the same path (emu, then efi, then pc).
cp -apr install-for-emu/. %{buildroot}/.
cp -apr install-for-efi/. %{buildroot}/.
%ifarch x86_64
cp -apr install-for-pc/. %{buildroot}/.
%endif

# Empty placeholder so that the ghost entry for grub.cfg in the file list
# refers to an existing path; the real file is produced on the target system.
touch %{buildroot}/boot/%{name}/grub.cfg
# Info pages are not packaged.
rm -rf %{buildroot}%{_infodir}

# Generate the GRUB2 EFI image.
install -d %{buildroot}/boot/efi/EFI/BOOT

# Render the SBAT metadata from the template: the placeholders receive the
# package version, the version-release string and the NiceOS SBAT generation.
# The resulting grub-sbat.csv is embedded into the EFI image by grub2-mkimage,
# so it describes exactly the build that gets signed.
sed -e "s,@@VERSION@@,%{version},g" \
    -e "s,@@VERSION_RELEASE@@,%{version}-%{release},g" \
    -e "s,@@GRUB_NICEOS_GEN@@,%{grub_niceos_generation},g" \
    %{SOURCE2} > grub-sbat.csv

%ifarch x86_64
# Select the EFI platform, the output file name and the modules linked into
# the image for the architecture being built. Every module named here ends up
# inside the signed binary, including the filesystem parsers (fat, iso9660,
# exfat, ext2, udf) that read on-disk data before the OS starts, so the list
# is part of the Secure Boot attack surface and should stay as small as the
# boot flow allows.
efi_platform=x86_64-efi
efi_output=grubx64.efi
efi_modules="fat iso9660 part_gpt part_msdos normal boot linux configfile loopback chain efifwsetup efi_gop efi_uga ls search search_label search_fs_uuid search_fs_file gfxterm gfxterm_background test all_video loadenv exfat ext2 udf halt gfxmenu png tga lsefi help probe echo lvm"
# No embedded startup configuration on x86_64.
efi_config_arg=
%else
%ifarch aarch64
# aarch64 differs from x86_64: efinet replaces efi_uga and lvm is not included.
efi_platform=arm64-efi
efi_output=bootaa64.efi
efi_modules="fat iso9660 part_gpt part_msdos normal boot linux configfile loopback chain efifwsetup efi_gop efinet ls search search_label search_fs_uuid search_fs_file gfxterm gfxterm_background test all_video loadenv exfat ext2 udf halt gfxmenu png tga lsefi help probe echo"

# Embedded startup configuration: find the filesystem labelled rootfs, make it
# the root device, then load grub.cfg from it.
# NOTE(review): a filesystem label is not unique to one disk; a UUID-based
# search would be more specific - confirm the label is controlled on targets.
cat > grub-embed-config.cfg << EOF
search.fs_label rootfs root
configfile /boot/grub2/grub.cfg
EOF

efi_config_arg="-c grub-embed-config.cfg"
%else
# Any other architecture: stop the build instead of producing an unusable image.
echo "ERROR: unsupported EFI architecture: %{_arch}" >&2
exit 1
%endif
%endif

# Fail early, with a readable message, if the staged EFI build does not hold
# the expected platform directory or any of the modules that are to be linked
# into the image.
efi_moddir="./install-for-efi/%{_libdir}/grub/${efi_platform}"

if [ ! -f "${efi_moddir}/moddep.lst" ]; then
    echo "ERROR: missing GRUB EFI platform directory or moddep.lst: ${efi_platform}" >&2
    echo "Available GRUB module directories:" >&2
    # Diagnostic only: a failing find must not hide the real error below.
    find ./install-for-efi/%{_libdir}/grub -maxdepth 2 -name moddep.lst -print >&2 || true
    exit 1
fi

# efi_modules is a space-separated list and is split on purpose.
for module in ${efi_modules}; do
    [ -f "${efi_moddir}/${module}.mod" ] && continue
    echo "ERROR: missing GRUB module for ${efi_platform}: ${module}.mod" >&2
    exit 1
done

# Assemble the standalone EFI binary with the grub2-mkimage that was just built
# and staged, not with a copy installed on the build host.
#   -d      module directory of the selected platform
#   -o      output image inside the build root
#   -p      prefix directory GRUB uses at run time
#   -O      output format
#   --sbat  SBAT metadata file embedded into the image
# efi_config_arg and efi_modules are left unquoted on purpose: they must split
# into separate arguments, and an empty efi_config_arg must vanish entirely.
./install-for-efi/%{_bindir}/grub2-mkimage \
    -d "./install-for-efi/%{_libdir}/grub/${efi_platform}/" \
    -o "%{buildroot}/boot/efi/EFI/BOOT/${efi_output}" \
    -p /boot/grub2 \
    -O "${efi_platform}" \
    ${efi_config_arg} \
    --sbat=grub-sbat.csv \
    ${efi_modules}

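# Sign the EFI image for Secure Boot.
#
# The private key never becomes part of the package: the build environment
# supplies its path in NICEOS_KERNEL_SIGNING_KEY. Only the public certificate
# is shipped as a source file.
# NOTE(review): the variable name suggests that the kernel signing key is also
# used for the boot loader; confirm that sharing one key is intended.
: "${NICEOS_KERNEL_SIGNING_KEY:?NICEOS_KERNEL_SIGNING_KEY is not set}"
if [ ! -r "$NICEOS_KERNEL_SIGNING_KEY" ]; then
    # Explicit message instead of a bare failing test, so the build log says
    # why signing stopped.
    echo "ERROR: Secure Boot signing key is not readable" >&2
    exit 1
fi

secureboot_cert="%{SOURCE3}"
secureboot_cert_pem=secureboot-signing.pem

# sbsign takes the certificate in PEM form. Always re-encode the source
# certificate to PEM instead of probing it: some OpenSSL releases may accept
# DER input without an explicit input format, so a successful parse alone does
# not show that the file is PEM.
if ! openssl x509 -in "$secureboot_cert" -outform PEM \
        -out "$secureboot_cert_pem" 2>/dev/null; then
    openssl x509 -inform DER -in "$secureboot_cert" -outform PEM \
        -out "$secureboot_cert_pem"
fi

efi_image="%{buildroot}/boot/efi/EFI/BOOT/${efi_output}"

# Keep the unsigned image under a separate name until signing has succeeded.
mv "$efi_image" "${efi_image}.unsigned"

sbsign \
    --key "$NICEOS_KERNEL_SIGNING_KEY" \
    --cert "$secureboot_cert_pem" \
    --output "$efi_image" \
    "${efi_image}.unsigned"

# Check the signature against the certificate that is meant to validate it.
# Listing the signatures alone does not verify them, so a key that does not
# match the certificate would otherwise go unnoticed until boot.
sbverify --cert "$secureboot_cert_pem" "$efi_image"
# Record the signer details in the build log.
sbverify --list "$efi_image"

# The unsigned copy must not be packaged.
rm -f "${efi_image}.unsigned"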

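# Move the bash completion files from the legacy location under the
# configuration directory to the shared bash-completion directory.
# All paths are quoted so that a build root containing whitespace or glob
# characters is not split or expanded.
legacy_completion_dir="%{buildroot}%{_sysconfdir}/bash_completion.d"
completion_dir="%{buildroot}%{_datadir}/bash-completion/completions"

mkdir -p "$completion_dir"

if [ -d "$legacy_completion_dir" ]; then
    # compgen -G succeeds only when the glob matches, which avoids calling mv
    # with a literal, unmatched pattern.
    if compgen -G "${legacy_completion_dir}/*" > /dev/null; then
        mv -v "$legacy_completion_dir"/* "${completion_dir}/"
    fi
    # Best effort: the directory is removed only when it is empty.
    rmdir "$legacy_completion_dir" 2>/dev/null || true
fi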

%files
%defattr(-,root,root,-)
%dir %{_sysconfdir}/grub.d
%config %{_sysconfdir}/grub.d/00_header
%config %{_sysconfdir}/grub.d/10_linux
%config %{_sysconfdir}/grub.d/20_linux_xen
%config %{_sysconfdir}/grub.d/30_os-prober
%config %{_sysconfdir}/grub.d/30_uefi-firmware
%config(noreplace) %{_sysconfdir}/grub.d/40_custom
%config(noreplace) %{_sysconfdir}/grub.d/41_custom
%{_sysconfdir}/grub.d/README
%if %{without bootstrap}
%{_mandir}/man1/*
%{_mandir}/man8/*
%endif
%{_bindir}/grub2-protect
%{_bindir}/grub2-editenv
%{_bindir}/grub2-file
%{_bindir}/grub2-fstest
%{_bindir}/grub2-glue-efi
%{_bindir}/grub2-kbdcomp
%{_bindir}/grub2-menulst2cfg
%{_bindir}/grub2-mkfont
%{_bindir}/grub2-mkimage
%{_bindir}/grub2-mklayout
%{_bindir}/grub2-mknetdir
%{_bindir}/grub2-mkpasswd-pbkdf2
%{_bindir}/grub2-mkrelpath
%{_bindir}/grub2-mkrescue
%{_bindir}/grub2-mkstandalone
%{_bindir}/grub2-mount
%{_bindir}/grub2-render-label
%{_bindir}/grub2-script-check
%{_bindir}/grub2-syslinux2cfg
%{_sbindir}/grub2-bios-setup
%{_sbindir}/grub2-install
%{_sbindir}/grub2-macbless
%{_sbindir}/grub2-mkconfig
%{_sbindir}/grub2-ofpathname
%{_sbindir}/grub2-probe
%{_sbindir}/grub2-reboot
%{_sbindir}/grub2-set-default
%{_sbindir}/grub2-sparc64-setup
%{_datadir}/bash-completion/completions/*
%{_datadir}/grub/*
%ghost %config(noreplace) /boot/%{name}/grub.cfg
%{_sysconfdir}/grub.d/25_bli
%{_datadir}/locale/*/LC_MESSAGES/grub.mo


%ifarch x86_64
%files -n %{name}-pc
%defattr(-,root,root,-)
%{_libdir}/grub/i386-pc
%endif

%files -n %{name}-efi
%defattr(-,root,root,-)
%ifarch x86_64
%{_libdir}/grub/x86_64-efi
%endif
%ifarch aarch64
%{_libdir}/grub/*
%endif

%files -n %{name}-emu
%defattr(-,root,root,-)
%{_bindir}/%{name}-emu
%{_bindir}/%{name}-emu-lite
%{_libdir}/grub/*-emu

%files -n %{name}-efi-image
%defattr(-,root,root,-)
/boot/efi/EFI/BOOT/*

%changelog
* Tue May 26 2026 NiceOS Team <support@niceos.ru> - 2.14-1
- BUMP to 2.14
- Backport GRUB2 security fixes for HFS, squash4, UDF, and gettext issues (CVE-2024-45782, CVE-2024-56737, CVE-2025-0678, CVE-2025-0689, CVE-2025-1125, CVE-2025-61662).
- Reduce pre-boot memory-corruption and secure-boot bypass risk in grub2 modules and boot images.
- Внедрены backport-исправления безопасности GRUB2 для ошибок в HFS, squash4, UDF и gettext (CVE-2024-45782, CVE-2024-56737, CVE-2025-0678, CVE-2025-0689, CVE-2025-1125, CVE-2025-61662).
- Снижены риски повреждения памяти до загрузки ОС и обхода Secure Boot в модулях и загрузочных образах grub2.


* Fri Jan 09 2026 NiceOS Team <niceos@ncsgp.ru> - 2.12-1
- Initial build for NiceOS (Первая сборка для НАЙС.ОС)